Skills and Qualities of Security Leaders. It’s Not so Simple
We talk in cybersecurity about the skills and qualities that leaders such as Chief Security Officers (CSO) and Chief Information Security Officers (CISO) must have to be successful. We can extend that more broadly to anyone in security executive or security leadership positions. The key requirements aren’t controversial:
- Understanding of security risk management
- Good understanding of cybersecurity and relevant compliance requirements
- Able to design, budget, and implement security programs
- Good communicator and able to talk to the business
- Ability to nurture a security culture
- Good at motivating teams and developing talent
However, I don’t believe that those core skills alone make for effective security leaders. The average CISO tenure is just two years and two months or even shorter. That doesn’t seem long enough to see security programs through. Something isn’t working.
There are various extra factors that determine whether the skills, talent, and experience of security leaders match the organizations they work for. For organizations, it’s important to select and develop security leaders that align with their goals. Security leaders must be selective in picking roles and organizations that suit their talent and skills to be successful and effective. A mismatch can easily lead to failed and ineffective security programs, wasted resources, and much frustration and burnout.
Let’s examine some of these factors.
Size and Maturity of the Organization
Whether the organization is a startup, a small or medium-sized business, or a large enterprise matters, as does the stage of the organization’s lifecycle. Leaders unfamiliar with navigating and finding support in large organizations can thrive in smaller organizations. A young and nimble organization is a different climate from one that is a hundred years old and has deeply entrenched traditions. Family-run, privately owned, or publicly traded ownership all pose different challenges in how to interact with the organization’s leaders. Is the organization undergoing rapid growth, or is it a more settled, steady, stable business? Helping larger organizations integrate acquisitions in various stages of maturity requires a special skill.
Technology Cycle and Velocity
Different organizations have different appetites for technology adoption. Some want to be early adopters, while others run on slower or longer technology timelines. Organizations can have a long legacy tail and technical debt. Some are embarking on or in the middle of a digital transformation. Others are adopting technology less strategically, through the rogue adoption of SaaS solutions to bypass an IT organization that isn’t responsive to the needs of the business. Organizations run on-premises in their own data centers, in public cloud, or in some form of hybrid cloud.
Level of Cybersecurity Maturity
Organizations are at different stages of maturity in cybersecurity, and some leaders are better at setting up security programs from scratch. Other leaders are better at running established teams or making teams run more efficiently. Even where security teams are mature, they can be transitioning from data center to cloud, or the organization wants to use such a transition to improve its security posture. Some organizations want to be leaders in security, while others care about keeping the lights on or meeting compliance goals.
I’m notoriously frugal due to many years in operational roles, and prefer to work within constraints. So, I tend to default to spending as little as needed while maximizing value and effectiveness. That approach thrives during cost reduction exercises or when getting as much value as possible out of flat or limited security budgets. But an organization with a bigger budget to invest and new capabilities to build requires a different set of skills. Such a situation requires knowing how to select complementary solutions quickly and get them operational.
Organizations have different capacities to build and maintain their own security solutions, or to bring in and operate third-party security solutions. Others bring in a managed service provider. Leaders with a background in security engineering don’t fit well in an organization that is explicitly outsourcing its security capabilities.
Organizations can have high expectations that don’t match the size of the budget. It takes special talent to make that clear to executives and either raise the investment or lower expectations of risk reduction.
Some organizations are highly visible to the public. Such organizations will require security leaders who are comfortable in front of a camera and have a media presence. This is especially the case where security is key to customer trust. If an organization has been in the media before because of security incidents or is under high scrutiny, the role requires diplomacy, or experience with regulators and law enforcement.
This public visibility can require being comfortable in a suit rather than a hoodie depending on the organization’s image.
In other organizations, public appearances can reasonably be expected to be rare.
Relative Criticality of Security
It may come as a shock to some cybersecurity professionals, but security risks aren’t always key business priorities. What is critical for the organization to protect differs from organization to organization depending on its core business. The impact of security risks in comparison to other business, geopolitical, financial, or legal risks varies.
For critical infrastructure, or where security is core to the business success or even survival, cyber resilience is of key importance. But the responsibility also comes with added burden and stress. Even when well resourced, the eventuality of a catastrophic event that could affect lives can add a mental pressure not every security leader is willing or able to manage.
In other organizations, where security isn’t core to the business, the risk of a data breach can be acceptable. For these organizations, an apology and a request that customers change their passwords and enable MFA is a reasonable resolution of a breach. If that isn’t acceptable to you as a security leader, it will only lead to frustration and disillusionment.
An important factor is the industry of the organization. Healthcare manages sensitive and private personal data, directly impacts human lives, and has to deal with a landscape of medical devices and systems. The Finance and Defense industries are under strict regulations and are primary targets of criminals and nation states. Manufacturing or Mining adds a whole layer of Operational Technology and equipment with decades-long lifecycles. Logistics and Distribution by definition needs to secure people, equipment, and goods that are on the move and cross borders. All these industries require specific domain knowledge and different approaches.
All companies are software companies now in some way. In the Technology industry, sophisticated product security, secure development lifecycle processes, and responsible disclosure programs are required. Cloud companies require experience in managing security at mass scale. The cybersecurity industry in particular is expected to focus on secure development, given the extra reputational damage when security solutions prove to have security problems.
The public sector adds a special layer of regulation, which in turn varies around the globe. The size of the public sector differs by country/region. It can extend well beyond direct government services to state-owned and operated energy production and distribution, water and other utilities, or oil companies, for instance.
Additional confidentiality and privacy requirements apply, and roles may require security clearances you don’t have, or impose restrictions you’re not willing to live by.
I’ve met CISOs in public education and universities. Their experiences and circumstances couldn’t be more different from my own.
Organizations can be hierarchical, consensus-driven, or federated into different business units. There are many people with a military background in cybersecurity in the U.S. They’ll naturally feel more at home in stricter command structures where directives cascade more easily down into action. Others may be better suited to looser, more autonomous structures where persuasion and collaboration are required to get teams on board.
Some organizations have a vast network of partners and suppliers, or work mainly with contractors instead of regular employees. Other organizations structure their IT as a separate service provider to different independent companies, while yet others are highly centralized.
Some are conservative and careful; others are ready to disrupt and not afraid to break things along the way.
When we say that security leaders must get close to the business, we must ask ourselves: what business are we talking about? What suits us as security leaders, and what do organizations require? Both organizations and security leaders must carefully consider what they need to be successful. It will determine whether security programs succeed or fail.